Runner on Svtter's Bloghttps://svtter.cn/tags/runner/Recent content in Runner on Svtter's BlogHugo -- gohugo.iozh-cnWed, 17 Jun 2026 23:50:25 +0800迁移到 Gitea Actions:kill-PAT 完整方案https://svtter.cn/p/%E8%BF%81%E7%A7%BB%E5%88%B0-gitea-actionskill-pat-%E5%AE%8C%E6%95%B4%E6%96%B9%E6%A1%88/Wed, 17 Jun 2026 23:55:31 +0800https://svtter.cn/p/%E8%BF%81%E7%A7%BB%E5%88%B0-gitea-actionskill-pat-%E5%AE%8C%E6%95%B4%E6%96%B9%E6%A1%88/<img src="https://svtter.cn/p/%E8%BF%81%E7%A7%BB%E5%88%B0-gitea-actionskill-pat-%E5%AE%8C%E6%95%B4%E6%96%B9%E6%A1%88/pics/cover_1781711699.png" alt="Featured image of post 迁移到 Gitea Actions:kill-PAT 完整方案" /><blockquote> <p>由于 GitHub 近期的不稳定,以及自建的 runner 消耗比较多的上下行流量,我尝试将代码仓库迁移到 gitea。在这个过程中,我踩了不少 runner 的坑。这里记录一下。</p> </blockquote> <h2 id="tldr">TL;DR </h2><p>如果读者希望自己的 LLM 不踩坑,可以这样:</p> <blockquote> <p>这是别人迁移 gitea 的时候踩的坑,我希望你做参考。&lt;本文链接&gt;</p> </blockquote> <p><strong>状态</strong>:闭环验证通过(2026-06-17,run #39404 / PR #5)(inside id) <strong>适用</strong>:self-hosted Gitea 1.26.x + gitea-runner 1.0.8 + 自签证书环境 <strong>详细调查记录</strong>:<code>journal/2026-06-17-default-actions-url-self-investigation.md</code>(续一~续四)(svtter/ops journal)</p> <hr> <h2 id="背景">背景 </h2><p>把 GitHub Actions workflow(<code>sun-praise/latex-agent</code> 21 个 workflow)迁到内网 Gitea。目标是<strong>杀掉 Personal Access Token(PAT)</strong>,让所有跨仓 action 访问用 gitea 原生的 job token + <code>DEFAULT_ACTIONS_URL=self</code> 机制。</p> <p>PAT 方案(06-14 journal 记录)能用但脏:每个消费方仓要存 <code>OPENCODE_ACTIONS_PAT</code> secret,action 代码要做本地 checkout workaround。kill-PAT 后 workflow 写法干净(<code>uses: org/action@ref</code> 直接生效),跟 GitHub Actions 一致。</p> <hr> <h2 id="前置条件">前置条件 </h2><table> <thead> <tr> <th>项</th> <th>要求</th> </tr> </thead> <tbody> <tr> <td>Gitea 版本</td> <td>≥ 1.26.2(含 PR #32562 collaborative owners + #36173 job token 跨仓权限)</td> </tr> <tr> <td>Runner</td> <td>gitea-runner 1.0.8(act_runner 改名后的新仓 <code>gitea.com/gitea/runner</code>)</td> </tr> <tr> <td>网络</td> <td>runner host 能访问 gitea server(同内网)</td> </tr> <tr> <td>证书</td> <td>自签或受信任 CA(本方案处理自签场景)</td> </tr> </tbody> </table> <hr> <h2 id="核心配置5-处改动">核心配置(5 处改动) </h2><h3 id="1-gitea-server启用-self-模式">1. Gitea server:启用 self 模式 </h3><p><code>/volume1/docker/gitea/gitea/gitea/conf/app.ini</code>(容器内 <code>/data/gitea/conf/app.ini</code>):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-ini" data-lang="ini"><span class="line"><span class="cl"><span class="k">[actions]</span> </span></span><span class="line"><span class="cl"><span class="na">ENABLED</span> <span class="o">=</span> <span class="s">true</span> </span></span><span class="line"><span class="cl"><span class="na">DEFAULT_ACTIONS_URL</span> <span class="o">=</span> <span class="s">self</span> </span></span></code></pre></td></tr></table> </div> </div><p>重启 gitea:<code>docker compose restart server</code>。</p> <p><strong>验证</strong>:改成 <code>bogus_value</code> 重启应启动失败,证明配置在读。</p> <h3 id="2-runner-注册地址对齐-gitea-appurl">2. Runner 注册地址对齐 gitea AppURL </h3><p><code>/var/lib/act_runner/.runner</code>(runner host 上):</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-json" data-lang="json"><span class="line"><span class="cl"><span class="p">{</span> </span></span><span class="line"><span class="cl"> <span class="nt">&#34;address&#34;</span><span class="p">:</span> <span class="s2">&#34;https://gitea.my-nas.lan&#34;</span><span class="p">,</span> </span></span><span class="line"><span class="cl"> <span class="err">...</span> </span></span><span class="line"><span class="cl"><span class="p">}</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>必须跟 gitea 的 <code>ROOT_URL</code> / <code>AppURL</code> host 完全一致</strong>。否则 <code>shouldCloneURLUseToken</code>(<code>act/runner/reusable_workflow.go:306</code>)做 host 字符串比较会 mismatch → 跨仓 clone 不带 token → 401。</p> <p>我们这里 <code>gitea.local</code>(旧注册)→ <code>gitea.my-nas.lan</code>(gitea AppURL)。</p> <h3 id="3-runner-image自构建cert--gitconfig--curlrc">3. Runner image:自构建(cert + gitconfig + curlrc) </h3><p>官方 <code>gitea/runner-images:ubuntu-latest</code> 在自签证书环境会撞 TLS 校验。自构建一层 overlay:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span><span class="lnt">3 </span><span class="lnt">4 </span><span class="lnt">5 </span><span class="lnt">6 </span><span class="lnt">7 </span><span class="lnt">8 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-dockerfile" data-lang="dockerfile"><span class="line"><span class="cl"><span class="k">FROM</span><span class="w"> </span><span class="s">gitea/runner-images:ubuntu-latest</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">COPY</span> gitea-my-nas.crt /usr/local/share/ca-certificates/gitea-my-nas.crt<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> update-ca-certificates<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> git config --global http.sslVerify false<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> git config --system http.sslVerify false<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="c"># curl 单独一条线,跟 git 的 TLS 校验独立</span><span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> <span class="nb">echo</span> <span class="s2">&#34;insecure&#34;</span> &gt; /root/.curlrc<span class="err"> </span></span></span><span class="line"><span class="cl"><span class="k">RUN</span> <span class="nb">echo</span> <span class="s2">&#34;insecure&#34;</span> &gt; /home/ubuntu/.curlrc <span class="o">&amp;&amp;</span> chown ubuntu:ubuntu /home/ubuntu/.curlrc<span class="err"> </span></span></span></code></pre></td></tr></table> </div> </div><p>构建 + 打 tag:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">sudo docker build -t gitea/runner-images:ubuntu-latest-gitea-self ~/runner-image-build </span></span></code></pre></td></tr></table> </div> </div><p><strong>关键</strong>:<code>gitea-my-nas.crt</code> 是 gitea 的 self-signed leaf 证书(NAS 上 <code>/volume1/docker/gitea/gitea/gitea/npm-gitea.cert.pem</code>)。<code>update-ca-certificates</code> 装它其实无效(leaf 不是 CA),但留着没坏处。真正起作用的是 git/curl 的 sslVerify/insecure。</p> <h3 id="4-runner-configyamllabels--force_pull">4. Runner config.yaml:labels + force_pull </h3><p><code>/var/lib/act_runner/config.yaml</code>:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">runner</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">labels</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ubuntu-latest:docker://gitea/runner-images:ubuntu-latest-gitea-self</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ubuntu-22.04:docker://gitea/runner-images:ubuntu-22.04</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="l">ubuntu-20.04:docker://gitea/runner-images:ubuntu-20.04</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">container</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">force_pull</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span><span class="c"># 默认 true,离线环境必须关</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">options</span><span class="p">:</span><span class="w"> </span>--<span class="l">user ubuntu -v /etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">valid_volumes</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="s1">&#39;**&#39;</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>两个关键点</strong>:</p> <ul> <li><code>config.yaml</code> 是 source of truth,daemon 启动时<strong>覆盖</strong> <code>.runner</code> 文件。改 <code>.runner</code> labels 无效。</li> <li><code>force_pull: true</code> 每次都去 docker hub 拉 image,runner host 访问不了 hub 就全挂。离线必须 <code>false</code>。</li> </ul> <h3 id="5-actions-org--公共-action-镜像">5. actions org + 公共 action 镜像 </h3><p>消费方 workflow 里 <code>uses: actions/cache@v5</code> 这种<strong>裸写</strong>的公共 action,在 <code>self</code> 模式下会解析到 <code>gitea.local/actions/cache</code>。需要镜像。</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl"><span class="c1"># 建 org(用 admin token)</span> </span></span><span class="line"><span class="cl">curl -X POST <span class="s2">&#34;</span><span class="nv">$GITEA</span><span class="s2">/api/v1/orgs&#34;</span> -H <span class="s2">&#34;Authorization: token </span><span class="nv">$TOKEN</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s1">&#39;{&#34;username&#34;:&#34;actions&#34;,&#34;visibility&#34;:&#34;public&#34;}&#39;</span> </span></span><span class="line"><span class="cl"> </span></span><span class="line"><span class="cl"><span class="c1"># 镜像 actions/cache(pull mirror,168h 自动同步)</span> </span></span><span class="line"><span class="cl">curl -X POST <span class="s2">&#34;</span><span class="nv">$GITEA</span><span class="s2">/api/v1/repos/migrate&#34;</span> -H <span class="s2">&#34;Authorization: token </span><span class="nv">$TOKEN</span><span class="s2">&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -d <span class="s1">&#39;{ </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;clone_addr&#34;: &#34;https://github.com/actions/cache.git&#34;, </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;repo_owner&#34;: &#34;actions&#34;, </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;repo_name&#34;: &#34;cache&#34;, </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;service&#34;: &#34;github&#34;, </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;mirror&#34;: true, </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;mirror_interval&#34;: &#34;168h&#34;, </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;private&#34;: false, </span></span></span><span class="line"><span class="cl"><span class="s1"> &#34;releases&#34;: true </span></span></span><span class="line"><span class="cl"><span class="s1"> }&#39;</span> </span></span></code></pre></td></tr></table> </div> </div><p><strong>org 必须是 public</strong>——private org 即使 repo 标 public,对外仍不可见(anonymous git 访问 401)。</p> <p>按 workflow 实际 <code>uses:</code> 列表镜像。常见需要:<code>actions/checkout</code>(如果不用绝对 URL)、<code>actions/cache</code>、<code>actions/setup-node</code> 等。我们这次 workflow 对 <code>actions/checkout</code> 用了绝对 URL(<code>uses: https://github.com/actions/checkout@v4</code>),只需镜像 <code>actions/cache</code>(multi-review 传递依赖)。</p> <hr> <h2 id="workflow-改造">Workflow 改造 </h2><p>消费方仓的 workflow 从 PAT+local-checkout 配方改成干净 native uses:</p> <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt"> 1 </span><span class="lnt"> 2 </span><span class="lnt"> 3 </span><span class="lnt"> 4 </span><span class="lnt"> 5 </span><span class="lnt"> 6 </span><span class="lnt"> 7 </span><span class="lnt"> 8 </span><span class="lnt"> 9 </span><span class="lnt">10 </span><span class="lnt">11 </span><span class="lnt">12 </span><span class="lnt">13 </span><span class="lnt">14 </span><span class="lnt">15 </span><span class="lnt">16 </span><span class="lnt">17 </span><span class="lnt">18 </span><span class="lnt">19 </span><span class="lnt">20 </span><span class="lnt">21 </span><span class="lnt">22 </span><span class="lnt">23 </span><span class="lnt">24 </span><span class="lnt">25 </span><span class="lnt">26 </span><span class="lnt">27 </span><span class="lnt">28 </span><span class="lnt">29 </span><span class="lnt">30 </span><span class="lnt">31 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-yaml" data-lang="yaml"><span class="line"><span class="cl"><span class="nt">name</span><span class="p">:</span><span class="w"> </span><span class="l">review</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">on</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="l">pull_request]</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">permissions</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">contents</span><span class="p">:</span><span class="w"> </span><span class="l">read</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">pull-requests</span><span class="p">:</span><span class="w"> </span><span class="l">write</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="nt">jobs</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">review</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">runs-on</span><span class="p">:</span><span class="w"> </span><span class="l">ubuntu-latest</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GIT_SSL_NO_VERIFY</span><span class="p">:</span><span class="w"> </span><span class="s1">&#39;1&#39;</span><span class="w"> </span><span class="c"># action 内部 git 的 TLS 兜底</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">steps</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 公共 action:绝对 URL 绕过 self 解析,直接从 github 拉</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">https://github.com/actions/checkout@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">fetch-depth</span><span class="p">:</span><span class="w"> </span><span class="m">0</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="c"># 自有 action:裸写,self 解析到本地 gitea</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span>- <span class="nt">uses</span><span class="p">:</span><span class="w"> </span><span class="l">sun-praise/opencode-actions/multi-review@v4</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">with</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">model</span><span class="p">:</span><span class="w"> </span><span class="l">litellm/deepseek-v4-flash</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">cache</span><span class="p">:</span><span class="w"> </span><span class="kc">false</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">default-team</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;quality:1&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">timeout-seconds</span><span class="p">:</span><span class="w"> </span><span class="s2">&#34;300&#34;</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">gitea-token</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">litellm-url</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.LITELLM_URL }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">litellm-api-key</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.LITELLM_API_KEY }}</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">env</span><span class="p">:</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GITEA_API_URL</span><span class="p">:</span><span class="w"> </span><span class="l">${{ github.server_url }}/api/v1</span><span class="w"> </span></span></span><span class="line"><span class="cl"><span class="w"> </span><span class="nt">GITEA_TOKEN</span><span class="p">:</span><span class="w"> </span><span class="l">${{ secrets.GITHUB_TOKEN }}</span><span class="w"> </span></span></span></code></pre></td></tr></table> </div> </div><p><strong>关键约定</strong>:</p> <ul> <li><code>GITHUB_TOKEN</code>(gitea Actions 自动注入的 job token)替代 PAT。所有跨仓认证用它。</li> <li><code>permissions:</code> 显式声明,受 org/repo Actions 设置 clamp(PR #36173)。</li> <li>公共 action 用绝对 URL 或镜像——二选一,看是否要 forward compat(绝对 URL 写法在 GitHub 上也认,镜像写法只在 gitea 上认)。</li> </ul> <hr> <h2 id="gitea-仓级配置">Gitea 仓级配置 </h2><p>消费方仓的 <code>Settings → Actions → General</code>:</p> <ul> <li><strong>Actions enabled</strong>:开</li> <li><strong>Default Actions Permissions</strong>:Allow all actions(或按需 restrict)</li> <li><strong>Cross-Repository Access</strong>:Selected,勾上消费方要用的所有自有 action repo(如 <code>opencode-actions</code>)——这是 PR #32562 collaborative owners 功能,让 job token 能跨仓读</li> </ul> <p>自有 action 仓(<code>sun-praise/opencode-actions</code>):</p> <ul> <li>可以是 private(job token 通过 collaborative owners 有读权限)</li> </ul> <hr> <h2 id="验证">验证 </h2><h3 id="闭环验证推荐">闭环验证(推荐) </h3><p>消费方仓提一个测试 PR,触发 <code>on: pull_request</code> workflow。预期:</p> <ol> <li>workflow run status → success</li> <li>PR 上出现 review 评论(或 action 的预期产出)</li> </ol> <h3 id="分层验证debug-用">分层验证(debug 用) </h3><table> <thead> <tr> <th>层</th> <th>验证方法</th> </tr> </thead> <tbody> <tr> <td>gitea self 配置</td> <td><code>app.ini</code> 改 <code>bogus_value</code> 重启应失败</td> </tr> <tr> <td>runner URL 对齐</td> <td><code>.runner</code> address == gitea <code>AppURL</code> host</td> </tr> <tr> <td>runner image TLS</td> <td>container 内 <code>curl -sI https://gitea.../api/v1/version</code> 不报证书错</td> </tr> <tr> <td>actions mirror</td> <td><code>curl https://gitea.local/actions/cache.git/info/refs?service=git-upload-pack</code> 匿名 200</td> </tr> <tr> <td>job token 跨仓</td> <td>DB 查 <code>action_run_job.token_permissions</code>,Code unit 有 read 权限</td> </tr> </tbody> </table> <hr> <h2 id="真正-kill-pat闭环验证通过后">真正 kill PAT(闭环验证通过后) </h2><ol> <li><strong>删消费方仓的 <code>OPENCODE_ACTIONS_PAT</code> secret</strong>: <div class="highlight"><div class="chroma"> <table class="lntable"><tr><td class="lntd"> <pre tabindex="0" class="chroma"><code><span class="lnt">1 </span><span class="lnt">2 </span></code></pre></td> <td class="lntd"> <pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="cl">curl -X DELETE <span class="s2">&#34;</span><span class="nv">$GITEA</span><span class="s2">/api/v1/repos/&lt;owner&gt;/&lt;repo&gt;/actions/secrets/OPENCODE_ACTIONS_PAT&#34;</span> <span class="se">\ </span></span></span><span class="line"><span class="cl"> -H <span class="s2">&#34;Authorization: token </span><span class="nv">$ADMIN_TOKEN</span><span class="s2">&#34;</span> </span></span></code></pre></td></tr></table> </div> </div></li> <li><strong>删 org 级 PAT</strong>(如果之前配在 org):同上换 <code>/orgs/&lt;org&gt;/actions/secrets/</code></li> <li><strong>revoke admin 用户 token</strong>:web UI → Settings → Applications → Revoke</li> <li><strong>workflow 文件清理</strong>:去掉 PAT 相关的 <code>with:</code> 和本地 checkout workaround</li> </ol> <hr> <h2 id="踩坑总结按踩中顺序">踩坑总结(按踩中顺序) </h2><ol> <li><strong>以为 act_runner 有 bug</strong>——读了三仓源码,写了 patch,最后发现是配置问题。教训:先怀疑配置,再怀疑代码。</li> <li><strong><code>.runner</code> 文件改了不生效</strong>——daemon 用 <code>config.yaml</code> 覆盖。改 labels 要改 config.yaml。</li> <li><strong><code>update-ca-certificates</code> 装自签 leaf 无效</strong>——leaf 不是 CA,不能签其他证书。要靠 sslVerify/insecure 绕。</li> <li><strong>git 和 curl 的 TLS 校验独立</strong>——git 的 sslVerify=false 不管 curl。curl 读 <code>~/.curlrc</code>(不是 <code>/etc/curlrc</code>)。</li> <li><strong><code>force_pull: true</code> 离线致命</strong>——每次 run 强拉 docker hub。离线必关。</li> <li><strong>private org 的 public repo 仍不可见</strong>——org visibility 是外层约束。镜像公共 action 的 org 必须 public。</li> <li><strong>host 字符串严格相等</strong>——<code>gitea.local</code> ≠ <code>gitea.my-nas.lan</code>,即使解析到同 IP。runner 注册地址必须跟 gitea AppURL 完全一致。</li> <li><strong>闭环验证才算数</strong>——每层&quot;通了&quot;都是局部判断。multi-review 真跑通 PR review + post 评论,端到端通了才算。</li> </ol> <hr> <h2 id="参考链接">参考链接 </h2><ul> <li>调查 journal:<code>journal/2026-06-17-default-actions-url-self-investigation.md</code>(续一~续四)</li> <li>gitea PR #32562(collaborative owners):https://github.com/go-gitea/gitea/pull/32562</li> <li>gitea PR #36173(job token 权限):https://github.com/go-gitea/gitea/pull/36173</li> <li>gitea issue #36817(self 模式的误报):https://github.com/go-gitea/gitea/issues/36817</li> <li>act_runner 源码:https://gitea.com/gitea/runner</li> <li>runner image 源码:https://gitea.com/gitea/runner_images</li> </ul> <hr> <h2 id="附录本次验证的实际-run">附录:本次验证的实际 run </h2><ul> <li><strong>PR</strong>:https://gitea.my-nas.lan/sun-praise/test-opencode-consumer/pulls/5</li> <li><strong>Run</strong>:https://gitea.my-nas.lan/sun-praise/test-opencode-consumer/actions/runs/39404</li> <li><strong>结果</strong>:multi-review 拿到 PR diff(1282 chars)→ 调 LiteLLM/DeepSeek review → post 评论到 PR。全程零 PAT。</li> </ul>